Chapter 2 of 14

Module 2: CMMC 2.0 Levels, Data Types, and Assessment Models

Dive into the three CMMC 2.0 levels, the distinction between FCI and CUI, and how assessment requirements differ across levels and contract types.

15 min read

Orienting to CMMC 2.0 Levels and Data Types

In Module 1, you saw why CMMC 2.0 exists and who it affects. In this module, you will map that big picture onto three concrete dimensions:

  1. CMMC 2.0 levels (1, 2, and 3)
  2. Data types (Federal Contract Information vs. Controlled Unclassified Information)
  3. Assessment models (self, third-party, and government-led)

As of today (December 2025), CMMC 2.0 is being implemented through:

  • The updated DFARS 252.204-7012 (safeguarding CUI)
  • CMMC-related clauses: DFARS 252.204-7021 and associated rulemaking
  • Integration with NIST SP 800-171 Rev. 3 (finalized in 2024) for CUI protection

Historically, CMMC 1.0 had 5 levels and its own bespoke practices. CMMC 2.0 collapsed this to 3 levels and aligned Levels 2 and 3 directly with existing NIST frameworks:

  • Level 1 → Based on FAR 52.204-21 (basic safeguarding of FCI)
  • Level 2 → Based on NIST SP 800-171 (CUI)
  • Level 3 → Based on a subset of NIST SP 800-172 (Enhanced Security Requirements for CUI)

In this module you will:

  • Dissect each level’s control expectations and typical contractor profile
  • Distinguish FCI vs. CUI precisely and see how they drive level selection
  • Analyze assessment requirements (self, C3PAO, DIBCAC) by level and contract type
  • Practice determining a target CMMC level from realistic contract scenarios

Keep in mind: the Department of Defense (DoD) may refine details through updated rulemaking, but the core logic of levels, data types, and assessment models is now stable.

Step 1 – Data Types: FCI vs. CUI (the Foundation of CMMC Levels)

CMMC levels are data-driven. Before you think about controls or assessments, you must know what kind of information is in scope.

Federal Contract Information (FCI)

Current definition (FAR 52.204-21):

> Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. It does not include information provided by the Government to the public (such as on public websites) or simple transactional information, such as that necessary to process payments.

Key characteristics of FCI:

  • Sensitive but low-impact if disclosed
  • Often includes:
      • Non-public statements of work (SOWs)
      • Non-public project schedules, internal reports
      • Non-public pricing details and performance metrics
  • Does NOT include classified information or CUI

Controlled Unclassified Information (CUI)

Current definition (32 CFR Part 2002 & DoD CUI Registry):

> Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and Government-wide policies, but is not classified.

Key characteristics of CUI:

  • Can be mission-critical or national-security relevant even though not classified
  • Includes categories such as:
      • Export-controlled technical data (e.g., ITAR/EAR-controlled)
      • Critical infrastructure information
      • Certain law enforcement, operations, or acquisition-sensitive data
      • Engineering drawings, technical manuals, and system specifications
  • Marked with CUI and often a category marking (e.g., `CUI//SP-EXPORT`)

Why this distinction matters for CMMC

  • FCI only → typically CMMC Level 1
  • CUI present → at least CMMC Level 2
  • High-value CUI / critical missions / advanced threats → candidate for CMMC Level 3

Visually, imagine a concentric circle diagram:

  • Outer ring: Public information (no CMMC scope)
  • Middle ring: FCI → Level 1
  • Inner ring: CUI → Level 2 or 3

Your first analytical task in any contract is to classify the data environment: Is this FCI only, CUI, or a mix?

Step 2 – Classify the Data: Mini Case Sorting Exercise

Apply the FCI vs. CUI distinction to these scenarios. For each, decide whether the primary data type is FCI, CUI, or neither.

  1. Scenario A – Public brochure redesign

A small design firm is hired to redesign a DoD base’s public outreach brochure. All content comes from the base’s existing public website.

  2. Scenario B – Logistics schedule

A trucking company receives a non-public shipment schedule for routine delivery of office supplies to a DoD facility. No technical specifications, just dates, quantities, and routing.

  3. Scenario C – Technical drawings

An engineering firm receives detailed CAD drawings of a new unmanned aerial vehicle (UAV) component, marked with export-control warnings and `CUI` labels.

  4. Scenario D – Invoicing portal

A SaaS provider hosts a secure portal used by multiple DoD subcontractors to submit invoices and performance reports that include internal cost breakdowns and non-public task descriptions.

Your task:

  • For each scenario, write down:
      • Your classification: Public / FCI / CUI
      • A one-sentence justification referencing the formal definitions from Step 1.

Then compare your reasoning with this answer key:

<details>

<summary><strong>Show suggested classifications and reasoning</strong></summary>

  • Scenario A: Public

Reason: All content is already public; no FCI or CUI.

  • Scenario B: FCI

Reason: Non-public information generated under a government contract, but not in a CUI category.

  • Scenario C: CUI

Reason: Technical data with export-control warnings and CUI markings; clearly in a protected CUI category.

  • Scenario D: Primarily FCI, potentially mixed with CUI depending on contract details

Reason: Non-public contract and performance data = FCI at minimum. If performance reports include technical performance on controlled systems, some of that could be CUI.

</details>

Reflect: Where did you hesitate? Those gray areas are exactly where CMMC level decisions become non-trivial.

Step 3 – CMMC Level 1: FCI and Basic Safeguarding

Core idea

CMMC Level 1 is about protecting FCI using basic cybersecurity hygiene. It maps closely to the 17 requirements in FAR 52.204-21.

Control expectations

Level 1 controls are relatively basic but must be actually implemented and documented. They include controls like:

  • Limiting system access to authorized users
  • Requiring strong passwords and account lockouts
  • Maintaining up-to-date antivirus and basic malware protection
  • Regularly updating and patching systems
  • Securely disposing of FCI (e.g., shredding, secure deletion)

No formal System Security Plan (SSP) is mandated at this level by the FAR clause itself, but in practice, contractors are expected to demonstrate how these safeguards are implemented, often via short policies or procedures.

Typical contractor profile

Organizations that:

  • Handle only FCI, no CUI
  • Provide relatively low-risk services or commodities, such as:
      • Janitorial and grounds maintenance
      • Basic facility services (non-mission-critical)
      • Office supplies
      • Non-technical professional services (e.g., basic consulting, training using public information)
  • Have limited IT complexity (e.g., mostly standard office productivity tools)

Assessment model (current practice under CMMC 2.0)

  • Assessment type: Annual self-assessment
  • Who performs it: The contractor (internal) using the DoD’s assessment methodology
  • Score reporting: Self-assessment results and affirmation are recorded in SPRS (Supplier Performance Risk System), typically as a score of 17 if all 17 practices are met
  • Affirmation: Senior official attests to the accuracy of the self-assessment

Level 1 is not “easy mode.” The DoD expects evidence that even these basic controls are in place and operating. For an auditor mindset, you should always ask: “How would I prove this control exists?”

Step 4 – CMMC Level 2: CUI and NIST SP 800-171 Alignment

Core idea

CMMC Level 2 is the primary level for protecting CUI. It directly aligns with NIST SP 800-171 (Rev. 2 historically, moving to Rev. 3 as DoD updates its references).

Control expectations

  • 110 security requirements across 14 families (e.g., Access Control, Incident Response, Configuration Management)
  • Requires a System Security Plan (SSP) describing how each requirement is implemented
  • Requires a Plan of Action & Milestones (POA&M) for gaps, with defined closure timelines
  • Emphasis on documented, repeatable processes and risk-based implementation

Examples of requirements beyond Level 1:

  • Multi-factor authentication (MFA) for network and privileged access
  • Audit logging and log review for security-relevant events
  • Configuration baselines and change control
  • Formal incident response plan and testing
  • Controlled use of removable media

Typical contractor profile

Organizations that:

  • Receive, store, or process DoD CUI (e.g., technical data, design info, sensitive acquisition data)
  • Are involved in R&D, engineering, manufacturing, or sustainment of defense systems
  • Use more complex IT, often including:
      • On-premises servers or hybrid cloud
      • Multiple networks (corporate, production, lab)
      • Third-party managed services

Assessment models at Level 2

CMMC 2.0 differentiates between “prioritized” and “non-prioritized” CUI programs:

  1. Level 2 – Self-assessment (non-prioritized CUI)
      • For contracts where CUI is present but not deemed critical to national security
      • Contractor conducts annual self-assessment against NIST 800-171
      • Score and SSP details are recorded in SPRS
      • Senior official submits a formal affirmation of the assessment
  2. Level 2 – Third-party assessment (C3PAO) for prioritized CUI
      • For contracts where CUI is mission-critical or particularly sensitive
      • Requires a C3PAO-led assessment (Certified Third-Party Assessment Organization) every 3 years
      • Results in a CMMC Level 2 certification
      • May include limited POA&M use with strict closure deadlines for certain controls

The DoD determines which contracts require C3PAO assessments based on threat and impact analysis, not solely on whether CUI is present.

In practice, this creates a two-track Level 2 world: some organizations can remain on self-assessments, while others must budget and prepare for external audits.

Step 5 – CMMC Level 3: Advanced Protection for High-Value CUI

Core idea

CMMC Level 3 targets organizations facing advanced persistent threats (APTs) and protecting high-value CUI. It builds on Level 2 (NIST 800-171) and adds selected requirements from NIST SP 800-172.

Control expectations

  • All 110 NIST 800-171 requirements (Level 2 baseline)
  • Plus a subset of NIST 800-172 enhanced security requirements, such as:
      • More rigorous monitoring and analytics (e.g., behavioral analytics, anomaly detection)
      • Deception and isolation techniques (e.g., honeypots, decoy data)
      • Stronger protection of security-relevant information (e.g., protecting logs and security tooling from tampering)
      • Enhanced incident response and recovery capabilities
  • Expectation of an enterprise-level cybersecurity program with:
      • Mature governance
      • Robust threat intelligence integration
      • Advanced defensive tooling and skilled staff

Typical contractor profile

Organizations that:

  • Work on critical weapons systems, advanced R&D, or highly sensitive programs
  • Have networks that are known targets for sophisticated nation-state adversaries
  • Often operate classified environments as well, although CMMC Level 3 specifically addresses unclassified CUI systems

Assessment model at Level 3

  • Assessment type: Government-led assessments
  • Assessor: DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) or other DoD assessment teams
  • Frequency: Typically triennial (every 3 years), with possible interim reviews or continuous monitoring elements depending on program criticality
  • Depth: More intrusive and comprehensive than Level 2 C3PAO audits, potentially including:
      • Detailed technical testing
      • Evidence sampling across multiple sites
      • In-depth interviews with security and operations staff

Level 3 is not a simple incremental step from Level 2; it represents a qualitative jump in sophistication, cost, and organizational maturity. From a strategic standpoint, many small and mid-size contractors will never need Level 3 unless they deliberately pursue high-risk, high-value contracts.

Step 6 – Quick Check: Matching Levels, Data, and Assessments

Test your ability to match data type, CMMC level, and assessment model.

A mid-size engineering firm designs components for a new radar system. It receives CUI-marked technical data. The DoD has designated this program as 'prioritized' due to its national security importance. Which combination is most accurate?

  A) CMMC Level 1; FCI only; annual self-assessment
  B) CMMC Level 2; CUI; third-party (C3PAO) assessment every 3 years
  C) CMMC Level 2; CUI; self-assessment only
  D) CMMC Level 3; CUI; DIBCAC-led assessment every 3 years

Answer: B) CMMC Level 2; CUI; third-party (C3PAO) assessment every 3 years

The presence of CUI rules out Level 1. The scenario does not explicitly describe advanced 800-172-style controls or a Level 3 designation, but it does state that the program is 'prioritized', which under CMMC 2.0 is the trigger for a **Level 2 C3PAO-led assessment**. So the best match is: **CMMC Level 2; CUI; third-party (C3PAO) assessment every 3 years**.

Step 7 – Comparative Case Study: Three Contractors, Three Levels

Consider three hypothetical contractors in the Defense Industrial Base (DIB). Your job is to analyze and assign the most appropriate CMMC level and assessment model.

---

Contractor 1 – CleanSweep Facilities, Inc.

  • Provides janitorial and building maintenance for multiple DoD installations
  • Receives non-public work orders and schedules showing building layouts and access times
  • No access to technical data, R&D, or mission systems
  • Uses a commercial SaaS ticketing system and email

Analysis:

  • Data type: Non-public work orders → FCI
  • Threat profile: Low, mainly physical security timing concerns
  • Likely CMMC posture: Level 1, annual self-assessment

---

Contractor 2 – AeroTech Dynamics, LLC

  • Designs and manufactures airframe components for a next-generation aircraft
  • Receives CUI-marked technical data and produces its own design files
  • Has a small but capable IT team; uses hybrid on-prem/cloud for engineering data
  • Program is not designated as prioritized by the DoD

Analysis:

  • Data type: CUI (technical design data)
  • Threat profile: Moderate; important but not flagged as highest criticality
  • Likely CMMC posture: Level 2 (CUI), annual self-assessment (non-prioritized CUI)

---

Contractor 3 – CyberShield Defense Systems

  • Integrates mission systems for a critical missile-defense program
  • Handles extensive CUI, some of it highly sensitive, alongside classified work (classified systems are outside CMMC but indicate high overall sensitivity)
  • DoD has designated the program as critical to national security
  • Operates a 24/7 security operations center (SOC) with advanced monitoring

Analysis:

  • Data type: High-value CUI and classified (classified is beyond CMMC scope but relevant to threat level)
  • Threat profile: High; prime target for APTs
  • Likely CMMC posture: Level 3, DIBCAC-led assessments every 3 years

---

Thought exercise:

  • For each contractor, list two controls or capabilities that are clearly beyond the previous level. For example:
      • What does CyberShield have to do that AeroTech likely does not?
      • What does AeroTech have to do that CleanSweep likely does not?

This helps you articulate the qualitative jump between levels, not just the numeric difference.

Step 8 – Decision Framework: Choosing a Target CMMC Level

Now synthesize what you’ve learned into a decision framework you could apply as a security analyst or compliance lead.

A simple 4-question decision tree

  1. Will we handle any CUI under this contract?
      • If no → Candidate for Level 1 (FCI only)
      • If yes → At least Level 2
  2. Is the CUI associated with a DoD program designated as 'prioritized' or critical?
      • If no → Likely Level 2 – self-assessment
      • If yes → Likely Level 2 – C3PAO or Level 3, depending on threat and DoD direction
  3. Does the contract documentation (RFP/RFQ) explicitly call out a CMMC level or assessment type?
      • If yes, that overrides your initial guess; your job is to align internal controls with the specified requirement
      • If no, your framework guides internal planning and bid/no-bid decisions
  4. Do we have the organizational maturity to realistically achieve and sustain Level 2 or 3?
      • If no → Consider:
          • Limiting scope (e.g., enclave just for CUI)
          • Partnering with a prime contractor who already has higher-level capabilities
          • Declining high-risk contracts until maturity improves

Your task

Pick one of these hypothetical RFP snippets and determine the minimum CMMC level and assessment type you would plan for:

  • RFP X: “Contractor will provide lawn maintenance and snow removal services for DoD facilities. Access to internal scheduling systems and non-public facility maps will be required. No CUI will be provided.”
  • RFP Y: “Contractor will develop and test prototype components for a new unmanned ground vehicle. Technical data will be provided and is designated as CUI. This program has been designated as a DoD prioritized acquisition program.”
  • RFP Z: “Contractor will provide software development services for a logistics planning tool. The tool will process CUI related to deployment schedules. The DoD anticipates requiring CMMC Level 3 for this effort.”

Write down, for your chosen RFP:

  1. Data type(s) in scope
  2. Target CMMC level
  3. Expected assessment model (self, C3PAO, DIBCAC)

Then compare with this suggested mapping:

<details>

<summary><strong>Show suggested answers</strong></summary>

  • RFP X: FCI only → Level 1, self-assessment
  • RFP Y: CUI, prioritized program → Level 2, C3PAO assessment
  • RFP Z: CUI, explicitly Level 3 → Level 3, DIBCAC-led assessment

</details>
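The 4-question decision tree from Step 8 can be written down as a small classifier and checked against the scenarios used throughout this module (RFP X/Y/Z, the three case-study contractors, the Step 6 radar quiz and SecureWave). This is an added illustration, not part of the course material; the field names, and the rule that a 'high' threat profile on a prioritized program tips the guess from Level 2/C3PAO to Level 3, are assumptions made here, since the module only says "depending on threat and DoD direction".

```python
"""Target CMMC 2.0 level and assessment model from the Step 8 decision tree.

Added illustration, not the module's own material. Field names and the
'high threat on a prioritized program -> Level 3' rule are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SELF = "self-assessment"
C3PAO = "C3PAO assessment"
DIBCAC = "DIBCAC-led assessment"

# Assessment model a level uses when the RFP does not say otherwise.
# Level 2 is deliberately absent: it depends on prioritization (question 2).
DEFAULT_ASSESSMENT = {1: SELF, 3: DIBCAC}

# Question 4 fallbacks listed in the module for organizations that cannot
# realistically sustain Level 2 or 3.
SCOPE_OPTIONS = (
    "limit scope (e.g., a dedicated enclave just for CUI)",
    "partner with a prime contractor that already has higher-level capabilities",
    "decline high-risk contracts until maturity improves",
)


@dataclass(frozen=True)
class ContractProfile:
    name: str
    handles_cui: bool                # Q1: any CUI under this contract?
    prioritized: bool = False        # Q2: DoD 'prioritized' / critical program?
    threat: str = "moderate"         # low | moderate | high (case-study threat profile)
    rfp_level: Optional[int] = None  # Q3: CMMC level explicitly stated in the RFP/RFQ
    can_sustain: bool = True         # Q4: maturity to achieve and sustain Level 2/3


def initial_guess(p: ContractProfile) -> Tuple[int, str]:
    """Questions 1 and 2: the guess made before reading the RFP's explicit terms."""
    if not p.handles_cui:
        return 1, SELF          # FCI only -> Level 1, annual self-assessment
    if not p.prioritized:
        return 2, SELF          # non-prioritized CUI -> Level 2 self-assessment
    if p.threat == "high":      # assumption: prioritized + APT-level threat -> Level 3
        return 3, DIBCAC
    return 2, C3PAO             # prioritized CUI -> Level 2, third-party assessment


def target_posture(p: ContractProfile) -> Tuple[int, str]:
    """Question 3: an explicit level in the RFP overrides the initial guess."""
    level, assessment = initial_guess(p)
    if p.rfp_level is not None:
        level = p.rfp_level
        if level == 2:
            assessment = C3PAO if p.prioritized else SELF
        else:
            assessment = DEFAULT_ASSESSMENT[level]
    return level, assessment


def readiness_plan(p: ContractProfile) -> Dict[str, object]:
    """Question 4: attach scope-reduction options when Level 2/3 is not sustainable."""
    level, assessment = target_posture(p)
    options: List[str] = [] if p.can_sustain or level < 2 else list(SCOPE_OPTIONS)
    return {"contract": p.name, "level": level, "assessment": assessment, "options": options}


# Scenarios taken from this module; threat values follow the case-study
# "Threat profile" lines, all other fields use the defaults above.
SCENARIOS = [
    ContractProfile("RFP X (lawn maintenance)", handles_cui=False, threat="low"),
    ContractProfile("RFP Y (UGV prototype)", handles_cui=True, prioritized=True),
    ContractProfile("RFP Z (logistics tool)", handles_cui=True, rfp_level=3),
    ContractProfile("CleanSweep Facilities", handles_cui=False, threat="low"),
    ContractProfile("AeroTech Dynamics", handles_cui=True),
    ContractProfile("CyberShield Defense Systems", handles_cui=True, prioritized=True, threat="high"),
    ContractProfile("Radar component firm (Step 6)", handles_cui=True, prioritized=True),
    ContractProfile("SecureWave Software", handles_cui=True, can_sustain=False),
]

if __name__ == "__main__":
    for scenario in SCENARIOS:
        print(readiness_plan(scenario))
```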

Step 9 – Key Term Review: Data Types, Levels, and Assessments

Use these flashcards to reinforce the most important terms from this module.

Federal Contract Information (FCI)
Information, not intended for public release, provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. It excludes public information and simple transactional data. Primarily drives CMMC Level 1 requirements.
Controlled Unclassified Information (CUI)
Unclassified information that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy. In the DoD context, its protection is aligned with NIST SP 800-171 and primarily drives CMMC Level 2 and 3 requirements.
CMMC Level 1
The basic safeguarding level focused on protecting FCI, aligned with the 17 requirements of FAR 52.204-21. Uses annual self-assessments and is intended for contractors handling FCI only.
CMMC Level 2
The primary level for protecting CUI, aligned with the 110 requirements of NIST SP 800-171. Uses annual self-assessments for non-prioritized CUI and C3PAO-led assessments every 3 years for prioritized CUI programs.
CMMC Level 3
An advanced level for high-value CUI and organizations facing APT-level threats. Builds on Level 2 and adds selected NIST SP 800-172 requirements. Assessed by DIBCAC or other DoD teams, typically every 3 years.
C3PAO (Certified Third-Party Assessment Organization)
An independent organization authorized by the DoD to perform CMMC Level 2 assessments for prioritized CUI programs. Issues certifications valid for a defined period (typically 3 years).
DIBCAC (Defense Industrial Base Cybersecurity Assessment Center)
The DoD organization responsible for conducting government-led cybersecurity assessments of Defense Industrial Base contractors, including CMMC Level 3 and some high-priority assessments.
System Security Plan (SSP)
A formal document describing the system boundary, environment, and how each applicable security requirement (e.g., from NIST SP 800-171) is implemented. Required for CMMC Level 2 and above.
Plan of Action & Milestones (POA&M)
A document that identifies remaining gaps in meeting security requirements, along with planned remediation steps, responsible parties, and target completion dates. Used at Level 2 and 3 to manage residual risk.
Prioritized CUI Program
A DoD designation for programs whose CUI is particularly sensitive or mission-critical. This designation typically triggers a requirement for CMMC Level 2 with a C3PAO-led assessment rather than self-assessment.

Step 10 – Synthesis Quiz: Determine the Target CMMC Level

One final scenario to integrate levels, data types, and assessments.

SecureWave Software is bidding on a DoD contract to build an analytics tool that processes deployment schedules and logistics plans. The RFP states that the system will handle CUI and references NIST SP 800-171 requirements, but does not mention 'prioritized' status or a specific CMMC level. Which planning assumption is most defensible for SecureWave’s internal readiness efforts?

  A) Plan for CMMC Level 1 with a self-assessment, because the RFP does not explicitly require CMMC.
  B) Plan for CMMC Level 2 with a self-assessment, because CUI is present but there is no indication of prioritized status.
  C) Plan for CMMC Level 2 with a C3PAO assessment, because any CUI automatically triggers third-party certification.
  D) Plan for CMMC Level 3 with DIBCAC assessment, because deployment schedules are always considered high-value CUI.

Answer: B) Plan for CMMC Level 2 with a self-assessment, because CUI is present but there is no indication of prioritized status.

The presence of CUI rules out Level 1. The RFP does not state that the program is prioritized or that a specific CMMC level is required, so the most defensible baseline assumption is **CMMC Level 2 with self-assessment**. A C3PAO assessment is only triggered for **prioritized CUI programs**, and Level 3 is reserved for especially critical, high-risk efforts explicitly designated by the DoD.

Key Terms

CUI
Controlled Unclassified Information; unclassified information requiring safeguarding or dissemination controls per law, regulation, or policy. Drives CMMC Level 2 and 3 requirements.
FCI
Federal Contract Information; non-public information provided by or generated for the Government under a contract, excluding public and simple transactional information. Drives CMMC Level 1 requirements.
C3PAO
Certified Third-Party Assessment Organization; an independent entity authorized by the DoD to conduct CMMC Level 2 assessments for prioritized CUI programs.
POA&M
Plan of Action and Milestones; a management tool that outlines how and when an organization will correct deficiencies and reduce or eliminate vulnerabilities in its systems.
DIBCAC
Defense Industrial Base Cybersecurity Assessment Center; the DoD organization that conducts government-led cybersecurity and CMMC assessments, especially at Level 3.
CMMC 2.0
The current version of the Cybersecurity Maturity Model Certification program implemented by the U.S. Department of Defense to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the Defense Industrial Base.
CMMC Level 1
The basic safeguarding level focused on protecting FCI, aligned with FAR 52.204-21. Uses annual self-assessments.
CMMC Level 2
The primary CMMC level for protecting CUI, aligned with NIST SP 800-171. Uses self-assessments for non-prioritized programs and C3PAO assessments for prioritized programs.
CMMC Level 3
An advanced CMMC level for high-value CUI and organizations facing sophisticated threats, adding selected NIST SP 800-172 requirements and assessed by DIBCAC or other DoD teams.
NIST SP 800-171
A NIST Special Publication specifying security requirements for protecting CUI in nonfederal systems and organizations; forms the basis of CMMC Level 2.
NIST SP 800-172
A NIST Special Publication providing enhanced security requirements for protecting CUI from advanced persistent threats; selected requirements inform CMMC Level 3.
Self-assessment
An internal evaluation conducted by the contractor to determine compliance with CMMC requirements, with results and affirmations reported to the DoD.
Third-party assessment
An external CMMC assessment conducted by an accredited C3PAO, required for certain Level 2 contracts handling prioritized CUI.
Prioritized CUI Program
A DoD designation for programs whose CUI is particularly sensitive or mission-critical, typically requiring CMMC Level 2 with a C3PAO-led assessment.
Government-led assessment
An assessment performed directly by DoD entities such as DIBCAC, required for CMMC Level 3 and some high-priority programs.
System Security Plan (SSP)
A comprehensive document that describes a system’s boundary, environment, and how each applicable security requirement is implemented.